For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ygaudet67's avatar
ygaudet67
Icon for Nimbostratus rankNimbostratus
Nov 02, 2018

Adding Application Security Policy using tmsh

I am using tmsh to create nodes, pools, VS, etc as well as assigning the http profile, ssl client, ssl server profiles and snatpools. It all works but I can't figure out how to Enable "Application S...
ASM Advanced WAF
security
TMSH
crodriguez's avatar
crodriguez
Ret. Employee
Nov 02, 2018

To "reverse engineer" the TMSH configuration settings that correspond to a particular GUI setting, you can list the object from TMSH first, make the change via the GUI, then list the object from TMSH again to view the differences. For example, I added an application security policy to a virtual server from the GUI, and below are the "before" and "after" pictures...

Here's the virtual server configuration before adding the ASM security policy. Note the current profiles settings and the lack of a policies setting:

ltm virtual http_vs {
    creation-time 2018-10-12:09:07:49
    destination 10.10.4.100:http
    ip-protocol tcp
    last-modified-time 2018-11-02:13:51:42
    mask 255.255.255.255
    pool http_pool
    profiles {
        http { }
        httpcompression { }
        tcp { }
    }
    rules {
        test
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 53
}

Here's the configuration after adding the policy named my_security_policy to the virtual server. Notice the addition of the "profiles" named ASM_my_test_policy and websecurity. Also, notice the addition of the local traffic policy named asm_auto_17_policy__http_vs. 

ltm virtual http_vs {
    creation-time 2018-10-12:09:07:49
    destination 10.10.4.100:http
    ip-protocol tcp
    last-modified-time 2018-11-02:13:27:25
    mask 255.255.255.255
    policies {
        asm_auto_l7_policy__http_vs { }
    }
    pool http_pool
    profiles {
        ASM_my_test_policy { }
        http { }
        httpcompression { }
        tcp { }
        websecurity { }
    }
    rules {
        test
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 53
}

There may be other ASM database settings at play but this should give you enough to be able to assign the security policy (and the local traffic policy) to the virtual server from tmsh.